To share an object, you use access control lists (ACLs). To set the ACL of an object, you must have the WRITE_ACP permission for the object.
Depending on your application architecture and needs, you can set the ACLs using the request headers or the body of the request. When setting access permissions, you can use a predefined ACL and specify the type with the x-amz-acl header, or explicitly specify the permissions you grant with the following headers:
- x-amz-grant-read
- x-amz-grant-read-acp
- x-amz-grant-write-acp
- x-amz-grant-full-control
To grant permissions, you specify the grantee of the permission as a type-value pair. Following are the available grantee types:
- To use the user name of an organization user, use the id type.
- To grant permissions to a predefined group, use the uri type.
For more information about working with ACLs, see https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html.
Following the steps in the current procedure, you assign the Read of Object, the Write of Object, and the Write of Bucket permissions to an organization user. Then assign Public Read permissions for the object.
Prerequisites
- Verify that you created an object in a bucket. For example, report_dec.xlsx, in the Reports bucket.
- Verify that you have WRITE_ACP permissions for the report_dec.xlsx object and for the Reports bucket.
Procedure
- Assign Read of Object permissions to an organization user.
  If you use path-style requests, use the following format for your request:
    PUT https://cloud-object-storage.example.com:8443/api/v1/s3/Reports/report_dec.xlsx
  If you use virtual hosted-style requests, use the following format for your request:
    PUT https://Reports.s3.cloud-object-storage.example.com:8443/report_dec.xlsx
  If you use the request headers, use the x-amz-grant-read header and the user ID of the grantee.
  If you use the request body, see the following example of a valid request body in JSON and XML formats:
    {
      "grants": [
        {
          "grantee": {
            "id": "ID-of-John-Doe"
          },
          "permission": "READ"
        }
      ],
      "owner": {
        "displayName": "Jane Doe"
      }
    }

    <AccessControlPolicy>
      <Owner>
        <ID>ID-of-Jane-Doe</ID>
        <DisplayName>Jane Doe</DisplayName>
      </Owner>
      <AccessControlList>
        <Grant>
          <Grantee>
            <ID>ID-of-John-Doe</ID>
            <DisplayName>John Doe</DisplayName>
          </Grantee>
          <Permission>READ</Permission>
        </Grant>
      </AccessControlList>
    </AccessControlPolicy>
  The grantee can now download the object.
- To allow the organization user to upload updated versions of the object to the bucket, assign Write of Bucket permissions for the bucket.
  If you use path-style requests, use the following format for your request:
    PUT https://cloud-object-storage.example.com:8443/api/v1/s3/Reports
  If you use virtual hosted-style requests, use the following format for your request:
    PUT https://Reports.s3.cloud-object-storage.example.com:8443
  If you use the request headers, use the x-amz-grant-write header and the user ID of the grantee.
  If you use the request body, see the following example of a valid request body in JSON and XML formats:
    {
      "grants": [
        {
          "grantee": {
            "id": "ID-of-John-Doe"
          },
          "permission": "WRITE"
        }
      ],
      "owner": {
        "displayName": "Jane Doe"
      }
    }

    <AccessControlPolicy>
      <Owner>
        <ID>ID-of-Jane-Doe</ID>
        <DisplayName>Jane Doe</DisplayName>
      </Owner>
      <AccessControlList>
        <Grant>
          <Grantee>
            <ID>ID-of-John-Doe</ID>
            <DisplayName>John Doe</DisplayName>
          </Grantee>
          <Permission>WRITE</Permission>
        </Grant>
      </AccessControlList>
    </AccessControlPolicy>
  The grantee can now upload updated versions of the object to the bucket.
- To enable sharing the report to internal and external users, make the object publicly readable.
  If you use path-style requests, use the following format for your request:
    PUT https://cloud-object-storage.example.com:8443/api/v1/s3/Reports/report_dec.xlsx
  If you use virtual hosted-style requests, use the following format for your request:
    PUT https://Reports.s3.cloud-object-storage.example.com:8443/report_dec.xlsx
  Use the x-amz-acl header with the public-read value.
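
Because the last step exposes the object to anyone, it is useful to review the resulting ACL. The following Python code is an added example, not part of the product documentation: it parses an AccessControlPolicy XML document in the format shown above and reports grants to predefined groups and write-level grants to non-owners. Assumptions: the group URIs are the standard Amazon S3 ones, and the constructed sample ACL assumes that public-read resolves to a READ grant for the AllUsers group, as it does in Amazon S3.

```python
import xml.etree.ElementTree as ET

# Predefined S3 group URIs whose grants reach beyond named users.
BROAD_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any authenticated user",
}
# Permissions that allow changing data or the ACL itself.
SENSITIVE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def _find(elem, name):
    """First direct child with this local name, ignoring any XML namespace."""
    return next((c for c in elem if c.tag.rsplit("}", 1)[-1] == name), None)

def _text(elem, name):
    """Stripped text of a named child, or None if the parent or child is missing."""
    child = _find(elem, name) if elem is not None else None
    return (child.text or "").strip() if child is not None else None

def audit_acl(xml_text):
    """Return (severity, message) findings for one AccessControlPolicy document."""
    root = ET.fromstring(xml_text)
    owner_id = _text(_find(root, "Owner"), "ID")
    acl = _find(root, "AccessControlList")
    findings = []
    for grant in (acl if acl is not None else []):
        grantee, perm = _find(grant, "Grantee"), _text(grant, "Permission")
        uri, gid = _text(grantee, "URI"), _text(grantee, "ID")
        if uri in BROAD_GROUPS:
            sev = "HIGH" if perm in SENSITIVE else "MEDIUM"
            findings.append((sev, f"{perm} granted to {BROAD_GROUPS[uri]}"))
        elif gid != owner_id and perm in SENSITIVE:
            findings.append(("LOW", f"{perm} granted to non-owner {gid}"))
    return findings

# Constructed sample: the object's ACL after the procedure above (owner keeps
# FULL_CONTROL, John Doe has READ, public-read adds READ for AllUsers).
SAMPLE_ACL = """<AccessControlPolicy>
  <Owner><ID>ID-of-Jane-Doe</ID><DisplayName>Jane Doe</DisplayName></Owner>
  <AccessControlList>
    <Grant><Grantee><ID>ID-of-Jane-Doe</ID></Grantee><Permission>FULL_CONTROL</Permission></Grant>
    <Grant><Grantee><ID>ID-of-John-Doe</ID></Grantee><Permission>READ</Permission></Grant>
    <Grant><Grantee><URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee><Permission>READ</Permission></Grant>
  </AccessControlList>
</AccessControlPolicy>"""

if __name__ == "__main__":
    for severity, message in audit_acl(SAMPLE_ACL):
        print(severity, message)
```

Only parse ACL documents retrieved from your own storage endpoint; xml.etree.ElementTree is not hardened against maliciously constructed XML.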